cobaltstrike | 21ca3f7277748891e739cfc7319935b002e977f268ea25f6c8720a0148b9bedf

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5fcca96595f491e108bdfdc9c5d66f67
SHA1

844089ab0eadb8afb3c6b8e91089888e4db73867
SHA256

21ca3f7277748891e739cfc7319935b002e977f268ea25f6c8720a0148b9bedf
SHA512

9c6d78b893fddebb7f5ae7405b486ccf5632af0609ece0bf97cf3a5680cac7c6b574e7ec5244fe4e5e74459115b51a98304deda361902a4df5e76d52a74187a6
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lh:RWWBibf56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a0000000234f3-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002350f-9.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350b-20.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023511-26.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023513-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023514-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023512-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023510-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-52.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002350c-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-79.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351d-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351c-98.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351e-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351f-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023522-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023521-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023520-127.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/2284-23-0x00007FF719780000-0x00007FF719AD1000-memory.dmp	xmrig
behavioral2/memory/1152-54-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	xmrig
behavioral2/memory/1512-64-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp	xmrig
behavioral2/memory/212-65-0x00007FF783830000-0x00007FF783B81000-memory.dmp	xmrig
behavioral2/memory/2716-63-0x00007FF797FF0000-0x00007FF798341000-memory.dmp	xmrig
behavioral2/memory/1712-96-0x00007FF6D7210000-0x00007FF6D7561000-memory.dmp	xmrig
behavioral2/memory/4336-95-0x00007FF681CD0000-0x00007FF682021000-memory.dmp	xmrig
behavioral2/memory/1636-93-0x00007FF608110000-0x00007FF608461000-memory.dmp	xmrig
behavioral2/memory/3420-92-0x00007FF7B76A0000-0x00007FF7B79F1000-memory.dmp	xmrig
behavioral2/memory/4232-88-0x00007FF7D9840000-0x00007FF7D9B91000-memory.dmp	xmrig
behavioral2/memory/4444-102-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp	xmrig
behavioral2/memory/1220-129-0x00007FF750E40000-0x00007FF751191000-memory.dmp	xmrig
behavioral2/memory/1928-124-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp	xmrig
behavioral2/memory/4920-115-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp	xmrig
behavioral2/memory/2052-136-0x00007FF652FD0000-0x00007FF653321000-memory.dmp	xmrig
behavioral2/memory/2624-135-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp	xmrig
behavioral2/memory/1152-137-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	xmrig
behavioral2/memory/4216-148-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp	xmrig
behavioral2/memory/648-155-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp	xmrig
behavioral2/memory/3616-156-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp	xmrig
behavioral2/memory/1900-158-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp	xmrig
behavioral2/memory/1204-159-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp	xmrig
behavioral2/memory/1324-161-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp	xmrig
behavioral2/memory/1152-162-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	xmrig
behavioral2/memory/2716-217-0x00007FF797FF0000-0x00007FF798341000-memory.dmp	xmrig
behavioral2/memory/2284-219-0x00007FF719780000-0x00007FF719AD1000-memory.dmp	xmrig
behavioral2/memory/1512-221-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp	xmrig
behavioral2/memory/4336-223-0x00007FF681CD0000-0x00007FF682021000-memory.dmp	xmrig
behavioral2/memory/4444-225-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp	xmrig
behavioral2/memory/4920-227-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp	xmrig
behavioral2/memory/1928-229-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp	xmrig
behavioral2/memory/1220-231-0x00007FF750E40000-0x00007FF751191000-memory.dmp	xmrig
behavioral2/memory/212-236-0x00007FF783830000-0x00007FF783B81000-memory.dmp	xmrig
behavioral2/memory/2624-237-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp	xmrig
behavioral2/memory/4232-244-0x00007FF7D9840000-0x00007FF7D9B91000-memory.dmp	xmrig
behavioral2/memory/3420-248-0x00007FF7B76A0000-0x00007FF7B79F1000-memory.dmp	xmrig
behavioral2/memory/1712-246-0x00007FF6D7210000-0x00007FF6D7561000-memory.dmp	xmrig
behavioral2/memory/1636-250-0x00007FF608110000-0x00007FF608461000-memory.dmp	xmrig
behavioral2/memory/648-252-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp	xmrig
behavioral2/memory/4216-254-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp	xmrig
behavioral2/memory/3616-261-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp	xmrig
behavioral2/memory/1900-263-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp	xmrig
behavioral2/memory/1324-265-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp	xmrig
behavioral2/memory/1204-268-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp	xmrig
behavioral2/memory/2052-269-0x00007FF652FD0000-0x00007FF653321000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2716	KbtadrJ.exe
1512	UZlAJCh.exe
2284	bgUeMrI.exe
4336	ZfpzChH.exe
4444	ZkbNuTh.exe
4920	FAeYciW.exe
1928	PRSCAeK.exe
1220	ELUExur.exe
2624	jmeUxfE.exe
212	tVNbYyL.exe
4232	cILjjun.exe
1712	QbGKUlO.exe
3420	TAvZbld.exe
1636	yqWHJIq.exe
648	WMKlLsu.exe
4216	eGHVtdT.exe
3616	yuelYbe.exe
1900	BcrINNN.exe
1204	LWBkDuy.exe
1324	SatTTDE.exe
2052	oLLWhmq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1152-0-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	upx
behavioral2/files/0x000a0000000234f3-5.dat	upx
behavioral2/files/0x000700000002350f-9.dat	upx
behavioral2/memory/2716-6-0x00007FF797FF0000-0x00007FF798341000-memory.dmp	upx
behavioral2/memory/1512-18-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp	upx
behavioral2/files/0x000800000002350b-20.dat	upx
behavioral2/memory/2284-23-0x00007FF719780000-0x00007FF719AD1000-memory.dmp	upx
behavioral2/files/0x0007000000023511-26.dat	upx
behavioral2/memory/4444-33-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp	upx
behavioral2/memory/4920-36-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp	upx
behavioral2/files/0x0007000000023513-40.dat	upx
behavioral2/files/0x0007000000023514-49.dat	upx
behavioral2/memory/1220-48-0x00007FF750E40000-0x00007FF751191000-memory.dmp	upx
behavioral2/memory/1928-44-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023512-39.dat	upx
behavioral2/memory/4336-27-0x00007FF681CD0000-0x00007FF682021000-memory.dmp	upx
behavioral2/files/0x0007000000023510-30.dat	upx
behavioral2/files/0x0007000000023515-52.dat	upx
behavioral2/memory/2624-55-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp	upx
behavioral2/memory/1152-54-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	upx
behavioral2/files/0x000800000002350c-59.dat	upx
behavioral2/memory/1512-64-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp	upx
behavioral2/memory/212-65-0x00007FF783830000-0x00007FF783B81000-memory.dmp	upx
behavioral2/memory/2716-63-0x00007FF797FF0000-0x00007FF798341000-memory.dmp	upx
behavioral2/files/0x0007000000023516-68.dat	upx
behavioral2/files/0x0007000000023518-73.dat	upx
behavioral2/files/0x0007000000023519-79.dat	upx
behavioral2/files/0x000700000002351a-83.dat	upx
behavioral2/files/0x000700000002351d-91.dat	upx
behavioral2/memory/4216-94-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp	upx
behavioral2/memory/648-97-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp	upx
behavioral2/files/0x000700000002351c-98.dat	upx
behavioral2/memory/1712-96-0x00007FF6D7210000-0x00007FF6D7561000-memory.dmp	upx
behavioral2/memory/4336-95-0x00007FF681CD0000-0x00007FF682021000-memory.dmp	upx
behavioral2/memory/1636-93-0x00007FF608110000-0x00007FF608461000-memory.dmp	upx
behavioral2/memory/3420-92-0x00007FF7B76A0000-0x00007FF7B79F1000-memory.dmp	upx
behavioral2/memory/4232-88-0x00007FF7D9840000-0x00007FF7D9B91000-memory.dmp	upx
behavioral2/memory/4444-102-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp	upx
behavioral2/files/0x000700000002351e-106.dat	upx
behavioral2/memory/3616-107-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp	upx
behavioral2/files/0x000700000002351f-118.dat	upx
behavioral2/files/0x0007000000023522-123.dat	upx
behavioral2/memory/1204-125-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp	upx
behavioral2/files/0x0007000000023521-131.dat	upx
behavioral2/memory/1220-129-0x00007FF750E40000-0x00007FF751191000-memory.dmp	upx
behavioral2/files/0x0007000000023520-127.dat	upx
behavioral2/memory/1324-126-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp	upx
behavioral2/memory/1928-124-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp	upx
behavioral2/memory/1900-121-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp	upx
behavioral2/memory/4920-115-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp	upx
behavioral2/memory/2052-136-0x00007FF652FD0000-0x00007FF653321000-memory.dmp	upx
behavioral2/memory/2624-135-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp	upx
behavioral2/memory/1152-137-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	upx
behavioral2/memory/4216-148-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp	upx
behavioral2/memory/648-155-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp	upx
behavioral2/memory/3616-156-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp	upx
behavioral2/memory/1900-158-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp	upx
behavioral2/memory/1204-159-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp	upx
behavioral2/memory/1324-161-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp	upx
behavioral2/memory/1152-162-0x00007FF703A10000-0x00007FF703D61000-memory.dmp	upx
behavioral2/memory/2716-217-0x00007FF797FF0000-0x00007FF798341000-memory.dmp	upx
behavioral2/memory/2284-219-0x00007FF719780000-0x00007FF719AD1000-memory.dmp	upx
behavioral2/memory/1512-221-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp	upx
behavioral2/memory/4336-223-0x00007FF681CD0000-0x00007FF682021000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ELUExur.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cILjjun.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAvZbld.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yuelYbe.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbtadrJ.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZlAJCh.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bgUeMrI.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PRSCAeK.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LWBkDuy.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FAeYciW.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqWHJIq.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oLLWhmq.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZkbNuTh.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QbGKUlO.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eGHVtdT.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BcrINNN.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SatTTDE.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZfpzChH.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jmeUxfE.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVNbYyL.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WMKlLsu.exe	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2716	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1152 wrote to memory of 2716	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1152 wrote to memory of 1512	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1152 wrote to memory of 1512	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1152 wrote to memory of 2284	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1152 wrote to memory of 2284	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1152 wrote to memory of 4336	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1152 wrote to memory of 4336	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1152 wrote to memory of 4444	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1152 wrote to memory of 4444	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1152 wrote to memory of 4920	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1152 wrote to memory of 4920	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1152 wrote to memory of 1928	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1152 wrote to memory of 1928	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1152 wrote to memory of 1220	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1152 wrote to memory of 1220	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1152 wrote to memory of 2624	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1152 wrote to memory of 2624	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1152 wrote to memory of 212	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1152 wrote to memory of 212	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1152 wrote to memory of 4232	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1152 wrote to memory of 4232	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1152 wrote to memory of 1712	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1152 wrote to memory of 1712	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1152 wrote to memory of 3420	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1152 wrote to memory of 3420	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1152 wrote to memory of 1636	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1152 wrote to memory of 1636	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1152 wrote to memory of 648	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1152 wrote to memory of 648	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1152 wrote to memory of 4216	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1152 wrote to memory of 4216	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1152 wrote to memory of 3616	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1152 wrote to memory of 3616	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1152 wrote to memory of 1900	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1152 wrote to memory of 1900	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1152 wrote to memory of 1204	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1152 wrote to memory of 1204	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1152 wrote to memory of 2052	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1152 wrote to memory of 2052	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 1152 wrote to memory of 1324	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 1152 wrote to memory of 1324	1152	2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_5fcca96595f491e108bdfdc9c5d66f67_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System\KbtadrJ.exe
  C:\Windows\System\KbtadrJ.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\UZlAJCh.exe
  C:\Windows\System\UZlAJCh.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\bgUeMrI.exe
  C:\Windows\System\bgUeMrI.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\ZfpzChH.exe
  C:\Windows\System\ZfpzChH.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\ZkbNuTh.exe
  C:\Windows\System\ZkbNuTh.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\FAeYciW.exe
  C:\Windows\System\FAeYciW.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\PRSCAeK.exe
  C:\Windows\System\PRSCAeK.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\ELUExur.exe
  C:\Windows\System\ELUExur.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\jmeUxfE.exe
  C:\Windows\System\jmeUxfE.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\tVNbYyL.exe
  C:\Windows\System\tVNbYyL.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\cILjjun.exe
  C:\Windows\System\cILjjun.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\QbGKUlO.exe
  C:\Windows\System\QbGKUlO.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\TAvZbld.exe
  C:\Windows\System\TAvZbld.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System\yqWHJIq.exe
  C:\Windows\System\yqWHJIq.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\WMKlLsu.exe
  C:\Windows\System\WMKlLsu.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\eGHVtdT.exe
  C:\Windows\System\eGHVtdT.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\yuelYbe.exe
  C:\Windows\System\yuelYbe.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\BcrINNN.exe
  C:\Windows\System\BcrINNN.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\LWBkDuy.exe
  C:\Windows\System\LWBkDuy.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\oLLWhmq.exe
  C:\Windows\System\oLLWhmq.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\SatTTDE.exe
  C:\Windows\System\SatTTDE.exe
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BcrINNN.exe

Filesize
5.2MB

MD5
5582d62a67700d6604856074d46d5e8d

SHA1
dcc83908275a8da065bc98457b603a83eaf8ec0f

SHA256
46a893491e8dbe70582dbb81e2771a45be52bba232e99e8760a9e13ce066893c

SHA512
542cbe9e00dbba09d6c0166c14042883007a3112c90c4dc0a888b4f0cffb7229912aabc37f5c7efcf0101c2286cc4906ddcbc9bd0e3a769a2bd9c5580a339b20

Download Submit
C:\Windows\System\ELUExur.exe

Filesize
5.2MB

MD5
cdeca375429e0e18f3875cc8aad62745

SHA1
78f711be2958a69abecec506011962c359e626a7

SHA256
03c5b98c55cb79a636b050e5df8f70d0f96d69a58b692480b6f72daa90afa60d

SHA512
f0f5d41cc425b750b7fb9864b5bdfac8885584213cbae03079444805b9eacb87742b885e6df2ecf57b15da5d0cfd84f7728a26b3aee79b49357880d9fcd397b2

Download Submit
C:\Windows\System\FAeYciW.exe

Filesize
5.2MB

MD5
3e866d8785f1f131543ea43a965b1e3b

SHA1
d6a46d49213959df56b023cf88c806a1d3a62074

SHA256
4c0859675dc75fc9d476b6f23f9aeb653270461d80cdded2d6a71d351f90e974

SHA512
36f22b8c8c90190666940b530cbb0375f1237d4f97b928e6f05fa25672ca861dc58d0ce8cb274433f7162bbea3b82ae723587b180a0c002f14c8108c6b3f9043

Download Submit
C:\Windows\System\KbtadrJ.exe

Filesize
5.2MB

MD5
cc7a232b8ebd72c7d8009aeb026fed07

SHA1
4a160f16ba44e0a0125a43a358dca2ccd709f796

SHA256
8d6ef9ff47398c8d0dd0ffe639c12275f0b80d7fbf8af484610e363dd8646519

SHA512
502d784a36e1f604d0fdd0ea04c1ea463215921b259e22adf5bca958c663072f66dca898b9aa4e9beec49cecc389486837cefdbf209f3439cda5498b12e2e9dc

Download Submit
C:\Windows\System\LWBkDuy.exe

Filesize
5.2MB

MD5
d8358ae758701941c007bbdf4cb6468b

SHA1
fec6f2683b2b2d7de72579f514ee289984595a48

SHA256
bdfc35892d3fa2b88833deb607e7caa6d828cce91f0e81529bb33e3f72223322

SHA512
2b7234600bab3d128b397a2f315dc868d2b69c61a2e22c56947d71421657a80eb5b3acd089229d16df9ab64fa3682cc4e8ddf107aaffacca5a2b28a8d986b00a

Download Submit
C:\Windows\System\PRSCAeK.exe

Filesize
5.2MB

MD5
c0a73ef187eb3da4d9b6d9dd610992cc

SHA1
0ff128374bf5701121f0bc6ec232f420dc1a7e44

SHA256
7dddf6eabf74851413ed806a5710194615fedbac7055120b6b1bbc0d581fce36

SHA512
c3c7b824df8f7fcb49acfc8611919cd0f29a1782f01c64c830f9b0a7a4d0a7e6ecfddb6c412ff42b7151bc4a6e4dbced2727e6f0b78d47d693154f1c3a0647af

Download Submit
C:\Windows\System\QbGKUlO.exe

Filesize
5.2MB

MD5
49c6a4b9e0fbed9c8f206463a525f767

SHA1
f167f7f32945fbdb73dd628cb5be15c6fefe2fec

SHA256
d94b3789812565aeeef92b84bb0bedb798b371c1cd2e40d92a0d3657d3b671a2

SHA512
6654ffb63b697d33c196b2fc9d9aa661b51bd2940a9a2ce1e1b6705a872ea71e355b753a63a3712e2168571c4c819425942a319c2d39c14e4081acafa6af7fda

Download Submit
C:\Windows\System\SatTTDE.exe

Filesize
5.2MB

MD5
cfb8da1bcbfc413d0e1d9bb8968c53a7

SHA1
f914beb356c64848fef60606970e359a80a7d936

SHA256
b4668d5207e9d0da0e9a0009e7f5fbc8764f50622709793985317535d1236180

SHA512
82885d1e4bd9d8af074abad372d457f428ec2a9b17c984a48678421031d031e3ed46ab0c2cad5dd395f372a623f5a34576e1d06079ac336bf59a7819733161a4

Download Submit
C:\Windows\System\TAvZbld.exe

Filesize
5.2MB

MD5
28eea332ad63d444a36455a9697ba248

SHA1
78685eb9f3db890e7b76d64642f57e3adf52cb17

SHA256
53e5340595d9d2fc8eecf02adbf05a25a2f7257397df1dd0cad5b7bccf2cbe80

SHA512
2ec769b0f48dbace2db2657bf4bb11008f6ad68aab43cf2f11e4efeb033b7dc58b9e0ceffafe8f1c62df1b299d7670a2facd12a70da1865265bb4955cb2b1d48

Download Submit
C:\Windows\System\UZlAJCh.exe

Filesize
5.2MB

MD5
0a4877399eae88bba292da7c917920c2

SHA1
7dd7f52e2f1ea2885e517524fb7ed08889aa53cb

SHA256
0df32c88c84f8be31efb1531278e1e7dfc30e5514a7ee553c6ef0d76283592f4

SHA512
68ac05c852e71dd3815dae832d2a576a80acd009f1677df2a077f87452e60f630954aa713e9551a3133ceeca8db026228533da21f5a8f11f0dc951b40588f6d7

Download Submit
C:\Windows\System\WMKlLsu.exe

Filesize
5.2MB

MD5
eef4c5ee27b3d15effedaeb2bea62492

SHA1
c6a8b2ec25e1907ffe791cd1e38b672fd666982b

SHA256
fe6b38310c64b4389014b50a2a7fa6ade792e34ade9c6bca2fee434bfffb526f

SHA512
4ddf937db6529f008c497cea954d4894e4415f6d940e55770ca9ba7ab80c7d87e67ca95ea630760ba76e7090f20afd38e65a4647b6548b87fa1f90af721e7b66

Download Submit
C:\Windows\System\ZfpzChH.exe

Filesize
5.2MB

MD5
701df646547681e25d8581fe33bf5bbc

SHA1
d7333dc05af242b913bc55a3dbe2dd2b98067642

SHA256
041ddde6f0cb41729154b3e01eda5adbec313ae0084581c227d06aedeeb84b20

SHA512
b1c5dac36ce915f940ae8257019a3991e02730486181f8d9c4fee3b9109ef688dc27d5ede1a202f154fbeb914a0c89f672b9e30c57b91a6be2c23d578848bc4d

Download Submit
C:\Windows\System\ZkbNuTh.exe

Filesize
5.2MB

MD5
9e334166067acc49aba108bbb3db8911

SHA1
e74e56ac68ccbf926e8e314a805c621c4b11d7c3

SHA256
7b7acd8fa45741517b2a1eb0ef6159bbadde8eb7262c8f8eccb7ab10eef7002a

SHA512
16d88f15b026afbfa17470fec7c27bda9c1624b53461de1307d9e5b95bb32080e88f200cfff91e750583b8228c714462e678673eefed89e8b5813440fa17da6d

Download Submit
C:\Windows\System\bgUeMrI.exe

Filesize
5.2MB

MD5
e626ded2b5e85598ab38a0373e8aa197

SHA1
c4cfcc1512ceaa763aa170843c30a42c5e040dbe

SHA256
ecc9e85f07bcc940b4805bf9831e66840415e59762ee9bea50b1bbc2e49ff11f

SHA512
bbc168267a6866e2ba180cee0355a7120436969031fc8c8e1a1ca878bb2105c6dab2d08b46d6472513c15e46b1d5d6b1ac711eaf4ac8cbda3842cb61f0356e67

Download Submit
C:\Windows\System\cILjjun.exe

Filesize
5.2MB

MD5
9223e56df171bcf7992c26d95926bb71

SHA1
fc3189c4403e4040654e352171f86c6490e23d00

SHA256
f02116bb6acd8e294e3d0f16e2a120f6af0ade5c8dd9166927d172d265723419

SHA512
be6138e99bfb6d1a011e3ffde87ec2419d4011de8291f3345857501ca01124b1286f82b9c67ffbd22a247e926c127a6e73cd2f574a8cb19968b68bf80ef32a67

Download Submit
C:\Windows\System\eGHVtdT.exe

Filesize
5.2MB

MD5
dd31af865c839c16a9af1ffa013c8488

SHA1
eb6be31ea301536a6a71c91fdd15491411e0d5ff

SHA256
cca09edf4f2a86511184baf2887163898d6a34a3882af38bc0437ab3aa337970

SHA512
816635d81ae5f33a6d31945bcd25973edab3e57b3096c79d0ad92ac673577070ff317b16ef8d80ac202ba6405d880695cbf2370ed494715d7628ba97b88323d8

Download Submit
C:\Windows\System\jmeUxfE.exe

Filesize
5.2MB

MD5
ee36786e9e7082e3237852d36ec248d5

SHA1
295b5113b40162f8396b887f5c4d783caa220ec9

SHA256
cc4e24817d5ce4551145c6e59884a100f7dae1d0be9de03eac4fd136f788f180

SHA512
362cd4e67518ef268e8ffa6ee15c8b857734b47f78ee329f3fd1b0953097b487f997f9dbd5dadaa01610d073eb6c24846f0761caf7879c09320ba7e40bfd0f57

Download Submit
C:\Windows\System\oLLWhmq.exe

Filesize
5.2MB

MD5
5bfef7113b6493ae81fbc4b3c4959dc6

SHA1
096bc68f8ce08d1e8d24b5410b97377a624f8691

SHA256
1d594df90e3308b94e547f9b5f096f6c7f72bc654326e94d909759125cb9089f

SHA512
6dd1747f9755a9cb970dae980ca2dc204fbeeda5d74d4ee932994280d8ae64501f3f969f62304235435cb5398b756740a0dea3e65241efc0f7b50e719178437d

Download Submit
C:\Windows\System\tVNbYyL.exe

Filesize
5.2MB

MD5
168b92168a44b594994fcf42c66160d3

SHA1
c62a330ed1d7a192c49e34f62299334647005943

SHA256
a1a1a4ab1580888db6d00e3708c82fb17352cbcf178450ceb3e218f5d176c7c6

SHA512
5ca303b3b3690e8040fb61c428519e1a834a70b1252328e638b9a1fac92853d730f92d7257226af692d75ffb9f585cd51fea386c97ed32c6c69a46613fd22335

Download Submit
C:\Windows\System\yqWHJIq.exe

Filesize
5.2MB

MD5
a5f9a5daa73388e2bc3dd68786036e55

SHA1
5f917bba566703977fc254b4ae31d6f7764eceec

SHA256
3ddc309dd606813687e730836ac96fb49d9c101cce60331dfbb6678c59f44739

SHA512
ef018a1ffa86fe6b14da889497c698d3394121300e70d0db5f842376987e151c10db647b7e9f4be12939e5207feecdd8bc887d93e358f01ca2f3aa2f9f64e155

Download Submit
C:\Windows\System\yuelYbe.exe

Filesize
5.2MB

MD5
bc6f57d5d81785e2bc792e4eed089dc3

SHA1
5f537d28098537280ad4126f078fb13eb1736449

SHA256
c1089e9a098fbb1cdcb794e802c35f796cfbb4573203cb4c044272efcd4cd9b0

SHA512
14e67bd2f01ca09d03d7335db7f805dab940d3737bac0aa633c4295fc2287ac7473cf3adeebd79d51c87294d7c9612094215d5e279d5cfe8683881524837a538

Download Submit
memory/212-236-0x00007FF783830000-0x00007FF783B81000-memory.dmp

Filesize
3.3MB

Download
memory/212-65-0x00007FF783830000-0x00007FF783B81000-memory.dmp

Filesize
3.3MB

Download
memory/648-97-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp

Filesize
3.3MB

Download
memory/648-252-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp

Filesize
3.3MB

Download
memory/648-155-0x00007FF7DE090000-0x00007FF7DE3E1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-54-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/1152-162-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/1152-0-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/1152-137-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

Filesize
3.3MB

Download
memory/1152-1-0x000001EC1CF40000-0x000001EC1CF50000-memory.dmp

Filesize
64KB

Download
memory/1204-159-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp

Filesize
3.3MB

Download
memory/1204-268-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp

Filesize
3.3MB

Download
memory/1204-125-0x00007FF6D6CF0000-0x00007FF6D7041000-memory.dmp

Filesize
3.3MB

Download
memory/1220-231-0x00007FF750E40000-0x00007FF751191000-memory.dmp

Filesize
3.3MB

Download
memory/1220-129-0x00007FF750E40000-0x00007FF751191000-memory.dmp

Filesize
3.3MB

Download
memory/1220-48-0x00007FF750E40000-0x00007FF751191000-memory.dmp

Filesize
3.3MB

Download
memory/1324-265-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1324-161-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1324-126-0x00007FF60E700000-0x00007FF60EA51000-memory.dmp

Filesize
3.3MB

Download
memory/1512-18-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp

Filesize
3.3MB

Download
memory/1512-221-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp

Filesize
3.3MB

Download
memory/1512-64-0x00007FF7D7710000-0x00007FF7D7A61000-memory.dmp

Filesize
3.3MB

Download
memory/1636-250-0x00007FF608110000-0x00007FF608461000-memory.dmp

Filesize
3.3MB

Download
memory/1636-93-0x00007FF608110000-0x00007FF608461000-memory.dmp

Filesize
3.3MB

Download
memory/1712-246-0x00007FF6D7210000-0x00007FF6D7561000-memory.dmp

Filesize
3.3MB

Download
memory/1712-96-0x00007FF6D7210000-0x00007FF6D7561000-memory.dmp

Filesize
3.3MB

Download
memory/1900-263-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-121-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp

Filesize
3.3MB

Download
memory/1900-158-0x00007FF6C0DA0000-0x00007FF6C10F1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-124-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-229-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-44-0x00007FF644A70000-0x00007FF644DC1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-136-0x00007FF652FD0000-0x00007FF653321000-memory.dmp

Filesize
3.3MB

Download
memory/2052-269-0x00007FF652FD0000-0x00007FF653321000-memory.dmp

Filesize
3.3MB

Download
memory/2284-219-0x00007FF719780000-0x00007FF719AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-23-0x00007FF719780000-0x00007FF719AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-135-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp

Filesize
3.3MB

Download
memory/2624-55-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp

Filesize
3.3MB

Download
memory/2624-237-0x00007FF7DDBD0000-0x00007FF7DDF21000-memory.dmp

Filesize
3.3MB

Download
memory/2716-63-0x00007FF797FF0000-0x00007FF798341000-memory.dmp

Filesize
3.3MB

Download
memory/2716-217-0x00007FF797FF0000-0x00007FF798341000-memory.dmp

Filesize
3.3MB

Download
memory/2716-6-0x00007FF797FF0000-0x00007FF798341000-memory.dmp

Filesize
3.3MB

Download
memory/3420-92-0x00007FF7B76A0000-0x00007FF7B79F1000-memory.dmp

Filesize
3.3MB

Download
memory/3420-248-0x00007FF7B76A0000-0x00007FF7B79F1000-memory.dmp

Filesize
3.3MB

Download
memory/3616-107-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp

Filesize
3.3MB

Download
memory/3616-261-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp

Filesize
3.3MB

Download
memory/3616-156-0x00007FF7C2630000-0x00007FF7C2981000-memory.dmp

Filesize
3.3MB

Download
memory/4216-254-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-94-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp

Filesize
3.3MB

Download
memory/4216-148-0x00007FF6475A0000-0x00007FF6478F1000-memory.dmp

Filesize
3.3MB

Download
memory/4232-88-0x00007FF7D9840000-0x00007FF7D9B91000-memory.dmp

Filesize
3.3MB

Download
memory/4232-244-0x00007FF7D9840000-0x00007FF7D9B91000-memory.dmp

Filesize
3.3MB

Download
memory/4336-95-0x00007FF681CD0000-0x00007FF682021000-memory.dmp

Filesize
3.3MB

Download
memory/4336-223-0x00007FF681CD0000-0x00007FF682021000-memory.dmp

Filesize
3.3MB

Download
memory/4336-27-0x00007FF681CD0000-0x00007FF682021000-memory.dmp

Filesize
3.3MB

Download
memory/4444-102-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp

Filesize
3.3MB

Download
memory/4444-33-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp

Filesize
3.3MB

Download
memory/4444-225-0x00007FF71A0C0000-0x00007FF71A411000-memory.dmp

Filesize
3.3MB

Download
memory/4920-115-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-36-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp

Filesize
3.3MB

Download
memory/4920-227-0x00007FF6CF680000-0x00007FF6CF9D1000-memory.dmp

Filesize
3.3MB

Download